“The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information,” the organisation said in a statement. “It also found that the company failed to be transparent about how people’s data was harvested by others.”

Future violations can be punished much more strictly, however: under GDPR, the EU’s new data protection legislation, companies can be fined up to €20 million or 4% of their global annual turnover, whichever is higher. (GDPR did not apply in this case because the offenses took place before it came into effect.)

In a statement, Information Commissioner Elizabeth Denham said: “New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters. But this cannot be at the expense of transparency, fairness and compliance with the law.”

“Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system,” she said.

Facebook says it will respond “soon”

The ICO is also launching a criminal prosecution against SCL Elections, an organisation affiliated with Cambridge Analytica, and has sent warning letters to 11 political parties and “notices compelling them to agree to audits of their data protection policies.”

Facebook has a chance to respond to the ICO before a final decision is made on the fine. The company has said it plans to do so “soon.”

In an emailed statement, Facebook chief privacy officer Erin Egan said: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”

Politicians are calling for greater transparency from Facebook in light of the ICO fine. Damian Collins MP, the chair of the Digital, Culture, Media and Sport Committee that has been investigating Cambridge Analytica, said: “Given that the ICO is saying that Facebook broke the law, it is essential that we now know which other apps that ran on their platform may have scraped data in a similar way. This cannot be left to a secret internal investigation at Facebook. If other developers broke the law we have a right to know, and the users whose data may have been compromised in this way should be informed.

“Facebook users will be rightly concerned that the company left their data far too vulnerable to being collected without their consent by developers working on behalf of companies like Cambridge Analytica. The number of Facebook users affected by this kind of data scraping may be far greater than has currently been acknowledged. Facebook should now make the results of their internal investigations known to the ICO, our committee and other relevant investigatory authorities.”